Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    21/04/2024, 13:51 UTC

General

  • Target

    ff6c9f545143b78ab33f7bab8f8c06b2_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    ff6c9f545143b78ab33f7bab8f8c06b2

  • SHA1

    db07d2fbbccf51e9cf3ff88219858c301a96ae5f

  • SHA256

    0f6517cbdb0e1c10059545a41fffc813730a05bbe48c6cb34645f6fb4a0194b8

  • SHA512

    37daf4d513165848e415ce98c7aefdf0b83f0c5b194e2dfe75557e8938aad4ebf2f40024cfdd2d08e2629d7d56ae938d0f9446c18af9338fc82e9c1c7ee2f80b

  • SSDEEP

    24576:jfc5Aea9cpvmClNb10hJaothZ2/T6FBBjNPI5lqkfZSkHR82b10hJaothZ2/T6FP:mAea9eHh/ofqg4/ofp

Score
7/10

Malware Config

Signatures

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of UnmapMainImage (2 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff6c9f545143b78ab33f7bab8f8c06b2_JaffaCakes118.exe (PID 1708, depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\ff6c9f545143b78ab33f7bab8f8c06b2_JaffaCakes118.exe"
    • Loads dropped DLL
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • child: C:\Users\Admin\AppData\Local\Temp\ff6c9f545143b78ab33f7bab8f8c06b2_JaffaCakes118.exe (PID 2844, depth 2)
      command line: C:\Users\Admin\AppData\Local\Temp\ff6c9f545143b78ab33f7bab8f8c06b2_JaffaCakes118.exe
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage

Network

  • DNS (remote IP geolocated to US)
    pastebin.com
    process: ff6c9f545143b78ab33f7bab8f8c06b2_JaffaCakes118.exe
    Remote address: 8.8.8.8:53
    Request
    pastebin.com IN A
    Response
    pastebin.com IN A 104.20.4.235
    pastebin.com IN A 172.67.19.24
    pastebin.com IN A 104.20.3.235
  • GET (remote IP geolocated to US)
    https://pastebin.com/raw/ubFNTPjt
    process: ff6c9f545143b78ab33f7bab8f8c06b2_JaffaCakes118.exe
    Remote address: 104.20.4.235:443
    Request
    GET /raw/ubFNTPjt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
    Host: pastebin.com
    Cache-Control: no-cache
    (the User-Agent claims Windows NT 10.0 and Firefox 59 although the sample ran on windows7_x64, so the string is hard-coded in the binary and usable as a detection pivot)
    Response
    HTTP/1.1 403 Forbidden
    Date: Sun, 21 Apr 2024 13:52:07 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 15034
    Connection: close
    Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: same-origin
    Origin-Agent-Cluster: ?1
    Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Referrer-Policy: same-origin
    X-Frame-Options: SAMEORIGIN
    cf-mitigated: challenge
    cf-chl-out: mqDWfJdkpIdt/U+FZ2prVNIBcbp0RXJSh6xu8QFUOjMRxCe0nOobzhKNk0RiYrex1WiNz5b0CASaqPyIXzLithYvsEZpVzAIDnGFSUqBR58=$I3dSwcYM5UzDUgzuhNYLew==
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Server: cloudflare
    CF-RAY: 877dda4f1e1894cc-LHR
  • 104.20.4.235:443
    https://pastebin.com/raw/ubFNTPjt
    protocols: tls, http
    process: ff6c9f545143b78ab33f7bab8f8c06b2_JaffaCakes118.exe
    sent: 1.4kB (19 packets)
    received: 23.3kB (27 packets)

    HTTP Request

    GET https://pastebin.com/raw/ubFNTPjt

    HTTP Response

    403 (a Cloudflare bot challenge, per the cf-mitigated: challenge header, not a removed paste: the paste body was never retrieved, so whatever this dead-drop URL resolves to is not captured in this run and the sample's next stage remains unknown)
  • 8.8.8.8:53
    pastebin.com
    protocols: dns
    process: ff6c9f545143b78ab33f7bab8f8c06b2_JaffaCakes118.exe
    sent: 58 B (1 packet)
    received: 106 B (1 packet)

    DNS Request

    pastebin.com

    DNS Response

    104.20.4.235
    172.67.19.24
    104.20.3.235

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\ff6c9f545143b78ab33f7bab8f8c06b2_JaffaCakes118.exe
    (same path as the submitted sample, but the hashes below differ from those in General: the file on disk at this path was replaced during the run, matching the RenamesItself, Deletes itself and Executes dropped EXE signatures)

    Filesize

    1.5MB

    MD5

    d2d8d967b045cd5d951bae6da6178763

    SHA1

    c9585e27bc3d3c061a0b72eec281711fb55bd65b

    SHA256

    c1b27e8be1e27b8a4efe674db397d68907ad5ed71721fc9f6b05004aec2fc714

    SHA512

    6037e386b0a40c86e9075eb75c7ecf7815586a12693aaf75c1c061068aa454b56127b07f2d85d0ed9e295db1d1113cdcf7d5317fe3c4bd083b0fb223de9ecde8

  • memory/1708-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/1708-2-0x0000000000190000-0x00000000001F6000-memory.dmp

    Filesize

    408KB

  • memory/1708-1-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/1708-13-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/2844-15-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2844-16-0x0000000000340000-0x00000000003A6000-memory.dmp

    Filesize

    408KB

  • memory/2844-23-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/2844-22-0x0000000002B90000-0x0000000002BEF000-memory.dmp

    Filesize

    380KB

  • memory/2844-44-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2844-49-0x000000000FA30000-0x000000000FA6C000-memory.dmp

    Filesize

    240KB

  • memory/2844-50-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB
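The dump list above carries more than file sizes. Both PIDs are dumped repeatedly at the image base 0x400000 with shrinking region sizes (408KB, 380KB, 240KB, 56KB), and each intermediate size also appears once at an unrelated address, which is what a module unmapped and rewritten in place (the UnmapMainImage and WriteProcessMemory signatures above) looks like from the outside. The following is an added example, not code from the report or from Hatching, that parses tria.ge dump names and reports those two patterns. The dump names are copied from the Downloads list; the image base and the dump-index-equals-capture-order reading are assumptions.

```python
"""Infer in-place image rewrites from tria.ge memory dump names (added example)."""
import re
from collections import defaultdict

# memory/<pid>-<index>-<start>-<end>-memory.dmp; <index> is taken to be capture order.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<index>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into pid, dump index, start and end addresses."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a tria.ge memory dump name: {name!r}")
    return {"pid": int(m["pid"]), "index": int(m["index"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def _in_capture_order(names):
    return sorted((parse_dump_name(n) for n in names), key=lambda d: (d["pid"], d["index"]))


def image_base_sizes(names, image_base=0x400000):
    """Per PID: the distinct successive region sizes seen at image_base, in dump order."""
    sizes = defaultdict(list)
    for d in _in_capture_order(names):
        if d["start"] != image_base:
            continue  # heap, stack and other private mappings are not the main image
        size = d["end"] - d["start"]
        if not sizes[d["pid"]] or sizes[d["pid"]][-1] != size:
            sizes[d["pid"]].append(size)
    return dict(sizes)


def rewritten_image_pids(names, image_base=0x400000):
    """PIDs whose image-base region was later dumped with a different size."""
    return sorted(pid for pid, s in image_base_sizes(names, image_base).items() if len(s) > 1)


def staging_candidates(names, image_base=0x400000):
    """Off-base regions whose size equals some image-base mapping seen in the run.

    A private allocation exactly the size of a later (or earlier) main image is a
    plausible staging copy of the payload before it is written over the image.
    """
    image_sizes = {s for sizes in image_base_sizes(names, image_base).values() for s in sizes}
    out = []
    for d in _in_capture_order(names):
        size = d["end"] - d["start"]
        if d["start"] != image_base and size in image_sizes:
            out.append((d["pid"], d["index"], d["start"], size))
    return out


# Copied from the Downloads list of this report.
DUMPS = [
    "memory/1708-0-0x0000000000400000-0x0000000000466000-memory.dmp",
    "memory/1708-2-0x0000000000190000-0x00000000001F6000-memory.dmp",
    "memory/1708-1-0x0000000000400000-0x000000000045F000-memory.dmp",
    "memory/1708-13-0x0000000000400000-0x000000000045F000-memory.dmp",
    "memory/2844-15-0x0000000000400000-0x0000000000466000-memory.dmp",
    "memory/2844-16-0x0000000000340000-0x00000000003A6000-memory.dmp",
    "memory/2844-23-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/2844-22-0x0000000002B90000-0x0000000002BEF000-memory.dmp",
    "memory/2844-44-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/2844-49-0x000000000FA30000-0x000000000FA6C000-memory.dmp",
    "memory/2844-50-0x0000000000400000-0x000000000040E000-memory.dmp",
]

if __name__ == "__main__":
    for pid, sizes in image_base_sizes(DUMPS).items():
        print(pid, " -> ".join(f"{s // 1024}KB" for s in sizes))
    for pid, idx, start, size in staging_candidates(DUMPS):
        print(f"staging? pid={pid} dump#{idx} at {start:#x} size={size // 1024}KB")
```

The final 56KB region at 0x400000 in PID 2844 is the dump to open first: it is the last image the process ran, and it is what the dropped file on disk (different hashes, same path) most likely unpacks to.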
